
discuss - Re: [opennic-discuss] Browser extension

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: "Dmitry S. Nikolaev" <dn AT mega-net.ru>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Browser extension
  • Date: Wed, 20 Sep 2017 09:20:03 +0300
  • Organization: OOO Meganet-2003

Found this:

The Dogtag Certificate System is an enterprise-class open source Certificate Authority (CA). 
http://pki.fedoraproject.org/wiki/PKI_Main_Page

With best regards, Dmitry S. Nikolaev
virus_net
On 20.09.2017 08:43, Dmitry S. Nikolaev wrote:

Hi.

My investigation result: the best way (and the only way, in my opinion) is that OpenNIC needs its own CA and users need to install the CA cert into their browsers.
An example of this is Webmoney with their auth with their own SSL cert.

I will think about it later; maybe I can do a CA with a web-iface to obtain certs. It's not an easy question, but I can give it a try.

With best regards, Dmitry S. Nikolaev
virus_net
On 18.09.2017 06:50, Dmitry S. Nikolaev wrote:

Hi.

About option 1: I can't say anything yet because I need to investigate by myself too.

About option 2: I can say that you are right and OpenNIC needs something like startssl.com: its own CA with a web-iface to obtain SSL certs for OpenNIC users and domains.
A proxy may be an option, but we still need to think about other ways.

With best regards, Dmitry S. Nikolaev

Moscow, Russia
phone: +7 (499) 678 8007 [ext. 6003]
fax: +7 (499) 678 8007 [ext. 7777]
www: http://www.mega-net.ru
mail: dnikolaev AT mega-net.ru
SIP URI: dnikolaev AT sip.mega-net.ru || dn AT sip.mega-net.ru
On 17.09.2017 11:25, Al Beano wrote:
Hi all,

I've done some digging around the WebExtension API, and I cannot find any way to resolve OpenNIC names in-browser, including the use of HTTPS.

There are two possible solutions:

1. create an extension which does not allow for HTTPS. Although there is no CA currently widely in operation on OpenNIC, aditaa is working on one and there is hope that things could change. Advertising an extension which doesn't support HTTPS would be conceding defeat. 

2. create an extension which does allow for HTTPS, through the use of a proxy server which we control. This is not ideal either, but I think it is the better of the two options: users of OpenNIC are already placing trust in the operators of T1 and T2 servers to answer queries honestly, so if the same people were operating the proxy server(s), the 'attack vector' for OpenNIC would remain much the same. This would also mean that the proxy server operators could choose which CAs to trust — as long as we only trust genuinely trustworthy CAs this would be a good thing because users wouldn't see a scary 'Untrusted certificate!' message and use of HTTPS would be a seamless experience. 

The only other potential issue with option 2 is that it could result in high resource usage, but if a few people contribute small VPSes with ~50mbps network I don't think there would be any problem. 

I'm interested to hear your opinions on this. Is a proxy server acceptable?

Obviously, I'd rather have the plugin support HTTPS 'properly' and if anyone knows how we might be able to do so, please let me know!

albino


--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org


